Using Access Control Lists
Summit 300-48 Switch Software User Guide 109
Rate Limits
Each entry that makes up a rate limit contains a unique name and specifies a previously created access
mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and
an action to take for packets that match. Additionally, a rate limit specifies an action to take when
matching packets arrive at a rate above the limit you set. When you create a rate limit, you must specify
a value for each of the fields that make up the access mask used by the list.
NOTE
Unlike an access list, a rate limit can only be applied to a single port. Each port will have its own rate
limit defined separately.
For packets that match a particular list, and arrive at a rate below the limit, you can specify the
following action:
Permit: Forward the packet. You can send the packet to a particular QoS profile, and modify the packet’s
802.1p value and/or DiffServe code point.
For packets that match a particular list, and arrive at a rate that exceeds the limit, you can specify the
following actions:
Drop: Drop the packets. Excess packets are not forwarded.
Permit with rewrite: Forward the packet, but modify the packet’s DiffServe code point.
The allowable rate limit values for the 100BT ports are 1, 2, 3, 4 ... 100 Mbps, and for the Gigabit ports
are 8, 16, 24, 32 ... 1000 Mbps.
NOTE
The rate limit specified in the command line does not precisely match the actual rate limit imposed by
the hardware, due to hardware constraints. See the release notes for the exact values of the actual rate
limits, if required for your implementation.
How Access Control Lists Work
When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are
compared with the values specified by the associated access lists to determine a match.
It is possible that a packet will match more than one access control list. If the resulting actions of all the
matches do not conflict, they will all be carried out. If there is a conflict, the actions of the access list
using the higher precedence access mask are applied. When a match is found, the packet is processed. If
the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is
forwarded. A permit access list can also apply a QoS profile to the packet and modify the packet’s
802.1p value and the DiffServe code point.
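The following Python model is an added example, not code from the switch software or this guide. It walks through the matching rules above for a packet that hits more than one access list, which is useful when reviewing whether a deny entry can be overridden by a broader permit entry. Assumptions: a lower precedence number means higher precedence, two actions conflict when they set the same attribute to different values, and all names, addresses and QoS profile values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessMask:
    name: str
    fields: tuple      # packet fields this mask compares
    precedence: int    # assumption: lower number = higher precedence

@dataclass(frozen=True)
class AccessList:
    name: str
    mask: AccessMask
    values: dict       # one value per field in the mask
    actions: dict      # e.g. {"verdict": "permit", "qos": "qp2", "dot1p": 5}

    def matches(self, packet):
        return all(packet.get(f) == self.values[f] for f in self.mask.fields)

def evaluate(packet, access_lists):
    """Return (merged actions, names of matching lists) for one ingress packet."""
    hits = [a for a in access_lists if a.matches(packet)]
    if not hits:
        return {}, []  # no list matched; the model applies no ACL action
    # Apply lower-precedence matches first so that, on a conflicting
    # attribute, the list with the higher-precedence mask overwrites it.
    merged = {}
    for acl in sorted(hits, key=lambda a: a.mask.precedence, reverse=True):
        merged.update(acl.actions)
    if merged.get("verdict") == "deny":
        merged = {"verdict": "deny"}  # a dropped packet gets no QoS rewrite
    return merged, [a.name for a in hits]

# Constructed sample configuration (hypothetical names and values).
ip_mask = AccessMask("ip_mask", ("src_ip",), precedence=100)
flow_mask = AccessMask("flow_mask", ("src_ip", "dst_port"), precedence=10)
ACLS = [
    AccessList("mark_host", ip_mask, {"src_ip": "10.0.0.5"},
               {"verdict": "permit", "qos": "qp2"}),
    AccessList("voice", flow_mask, {"src_ip": "10.0.0.5", "dst_port": 5060},
               {"verdict": "permit", "dot1p": 5}),
    AccessList("block_telnet", flow_mask, {"src_ip": "10.0.0.5", "dst_port": 23},
               {"verdict": "deny"}),
]

if __name__ == "__main__":
    for port in (5060, 23, 80):
        print(port, evaluate({"src_ip": "10.0.0.5", "dst_port": port}, ACLS))
```

In the sample, the port 5060 packet receives the actions of both matching lists because they do not conflict, while the port 23 packet is dropped because the deny list uses the higher precedence mask.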